Intelligence Report: Equation Group

Executive Summary

The Equation Group, active since 2001, is a highly advanced and secretive computer espionage organization. The first report on Equation was published by Kaspersky during their 2015 Security Analyst Summit. The malware used in their operations, dubbed EquationDrug and GrayFish, is capable of reprogramming hard disk drive firmware. The group is using advanced techniques, predilection for strong encryption methods, and high degree of covert behavior. There are indications of about 500 malware infections by the group’s tools in at least 42 countries.



The group was named Equation due to the hackers’ evident fondness for encryption algorithms and obfuscation strategies as well as the sophisticated methods used throughout their operations. The Equation malware uses a specific implementation of the RC5 encryption algorithm. Some of the most recent modules also use RC6, RC4, and AES, in addition to other cryptographic functions and hashes.

These tweets are from the Kaspersky 2015 Security Analyst Summit:

  • The #EquationAPT group is probably one of the most sophisticated cyber-attack groups in the world.
  • The #EquationAPT group interacted with other powerful groups, such as the #Stuxnet and #Flame groups.
  • Two zero-day exploits were used by the Equation group before they were integrated into #Stuxnet.


Equation Group Key Points

  • “Fanny”, which is one of the malwares used by Equation Group, was able to penetrate isolated systems which are not connected to the internet such as nuclear power plants and electricity companies, by storing itself on a USB stick, infecting the isolated system, and then sending all information when it is plugged into a computer connected to the internet.
  • “Grok” is another malware used by the group, which is a key-logger that steals user names and password to various websites which are accessed through the infected computer.
  • Some C&C servers used by the Equation group were registered as far back as 1996.
  • The earliest known malware samples were compiled in 2002.
  • Equation interacted with, and appears superior to, the Stuxnet and Flame groups due to earlier access to key exploits.


List of Relevant Signatures & Indicators

Check Point sees active infected hosts in Europe, US and the Persian Gulf.

The following IPS protections, Anti-Virus and post-infection Anti-Bot indicators are related to vulnerabilities used by the Equation Group:

  1. The IPS blade contains at least five different protections which will protect customers by ensuring these vulnerabilities will not be exploited by the Equation Group:
    1. CVE-2010-2568: Microsoft Windows Shell LNK File Parsing Code Execution (MS10-046)
    2. CVE-2012-0159: Microsoft Windows Malformed TrueType Font Remote Code Execution (MS12-034)
    3. CVE-2012-1723: BlackHole Toolkit v2 JAVA Payload Stage Code Execution
    4. CVE-2012-4681: Oracle Java 7 Applet RCE Gondvv
    5. CVE-2013-3918: Microsoft Windows InformationCardSigninHelper Class ActiveX Control Code Execution (MS13-090)
  2. The Anti-Virus blade will prevent the malware from infecting customers and networks while the post-infection Anti-Bot blade will detect computers or networks already infected with the malware:
    • The blades include 113 indicators which were first published on Feb 17th


Unique Methods of Hard-Disk Firmware Infection A unique feature of some tools from the Equation APT group astounded researchers and engineers around the world with an unprecedented technological feat: both EquationDrug and CrayFish had a plugin in place that enables the functionality of reprogramming hard drive firmware. This never-before-seen technique abuses the firmware upgrade feature of hard drives and solid state disks by various vendors and models, to write specific code into these secret compartments, invisible to operating systems and typically left unnoticed even in rigorous forensics examinations.

This specially crafted code enables persistence of the Equation tools (or ‘implants’, as they term them), even following HD complete wipe and clean operating system installation. The reprogrammed firmware will trigger after installation is complete and re-infect the computer as needed. The unique HDD firmware infection is the persistence feature – survivability of the breach.

This capability requires a significant engineering effort, including specific targeting and testing on each designated HDD or SSD model, testifying to the proportions of man-months and millions in USD invested into creating this ability alone. It is unlikely that we will see this implemented by common cybercriminals anytime soon, due to the complexity and effort required to repurpose the software.


Synopsis The Equation group is a highly sophisticated organization that has engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” (a sophisticated malware toolkit) threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber-attack groups in the world, and is currently the most advanced threat actor.